Deployment Considerations

The following guide describes a set of recommended best practices for a production deployment of Couchbase Mobile.

Security

Authentication

In a Couchbase Mobile production deployment, administrators typically perform operations on the Admin REST API.
If Sync Gateway is deployed on an internal network, you can bind the adminInterface of Sync Gateway to the internal network.
In this case, the firewall should also be configured to allow external connections to the public interface port.

To access the Admin REST API from an entirely different network or from a remote desktop we recommend to use SSH tunneling.

Authorization

In addition to the Admin REST API, a user can be assigned to a role with additional privileges.
The role and the user assigned to it can be created in the configuration file.
Then, the Sync Function’s requireRole() method can be used to allow certain operations only if the user has that role.

Data Model Validation

In a NoSQL database, it is the application’s responsibility to ensure that the documents are created in accordance with the data model adopted throughout the system.
As an additional check, the Sync Function’s throw() method can be used to reject documents that do not follow the pre-defined data model.

HTTPS

You can run Sync Gateway behind a reverse proxy, such as NGINX, which supports HTTPS connections and route internal traffic to Sync Gateway over HTTP.
The advantage of this approach is that NGINX can proxy both HTTP and HTTPS connections to a single Sync Gateway instance.

Alternatively, Sync Gateway can be configured to only allow secure HTTPS connections, if you want to support both HTTP and HTTPS connections you will need to run two separate instances of Sync Gateway.

Database Encryption

Database Encryption is not currently supported in 2.0.
This feature will be available in the next version of Couchbase Lite.

Managing Tombstones

By design, when a document is deleted in Couchbase Mobile, they are not actually deleted from the database, but simply marked as deleted (by setting the _deleted property).
The reason that documents are not immediately removed is to allow all devices to see that they have been deleted—​particularly in the case of devices that may not be online continuously and therefore not syncing regularly.

To actually remove the documents permanently, you need to purge them.
This can be done in both Couchbase Lite and via the Sync Gateway REST API.

Beginning in Couchbase Mobile 1.3, documents can have a Time To Live (TTL) value - when the TTL expires the document will be purged from the local database.
Note that this does not affect the copy of the document on any other device.
This concept is covered in more detail in the
Document guide.

Depending on the use case, data model and many more variables, there can be a need to proactively manage these tombstones as they are created.
For example, you might decide that if a document is deleted on a Couchbase Lite client, that you want to purge the document (on that device) as soon as the delete has been successfully replicated out to Sync Gateway.
Then later on Sync Gateway, set an expiration so that they are automatically purged after a set period (perhaps a week, or a month, to allow for all other devices to sync and receive the delete notifications) - more on this later.
If a document is deleted on the Sync Gateway itself (say by a batch process or REST API client), you may similarly want to set a TTL, and on the Couchbase Lite devices you can monitor the
Database Change Notifications and purge locally whenever a document is marked as deleted.